310 rspec-rails 1.3 compatibility fork for Rails LTS 2.3

An expectation like this will fail with Rails LTS 2.3:

should render_template(:edit)

The error will look like this:

expecting <:edit> but rendering with <"">

This is caused by the way rspec-rails 1.x monkey-patches ActionController during controller specs.

Fix

To fix this, use our compatibility fork of rspec-rails 1.3.

With Bundler

If ...

311 rspec-rails 2.14 compatibility fork for Rails 3.2 LTS

With Rails 3.2 LTS, your RSpec 2 controller specs might fail with an error like this:

NoMethodError:
  undefined method `[]' for nil:NilClass

Fix

To fix this, use our compatibility fork of rspec-rails 2.14.

You can switch to the fork by updating your Gemfile:

gem 'rspec-rails', :git => 'https://github.com/makandra/rspec-rails.git', :branch => '2-14-lts'

Now run bundle update rspec-rails.

401 [CVE-2018-15578] Denial of Service vulnerability in Rails 3.2 LTS (Active Record)

There is a possible ReDoS (regular expression denial of service) vulnerability in the activerecord gem that is part of Rails LTS. An attacker using a specially crafted request can cause an application with certain vulnerable code to consume an excessive amount of CPU time.

Affected versions: Rails 3.2.22.9 LTS and lower, Rails 3.0.20.12 LTS and lower
Unaffected versions: Rails 2.3 LTS

Note: The flaw is also present in the official non-LTS 3.x version of Active Record, which is no longer maintained. Other non-LTS Rails versions are not af...

Change to ActiveRecord deserialization (CVE-2022-32224)

Mirroring the official change in Rails 5.1.8 that addresses CVE-2022-32224, all versions of Rails LTS now try to use YAML.safe_load to deserialize serialized database columns in ActiveRecord. This is a potentially breaking change.

Background

When using something like

class MyModel < ActiveRecord::Base
  # stores the attribute as a YAML document in a text column
  serialize :address_data
  # or alternatively: a YAML-backed hash with named accessors
  store :settings, accessors: [:color, :homepage]
end

ActiveRecord will use YAML to serialize and deserialize data. However, YAML deserialization using YAML.load (or explicitly `YAML.unsafe...
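To make the breaking change concrete, here is an added, stand-alone Ruby example; it is not Rails LTS or ActiveRecord code. It models a YAML column coder that deserializes with YAML.safe_load and shows which column contents written under the old YAML.load behaviour still load, which only load once their class is permitted (Symbol and Date are the usual suspects), and which are rejected outright (an arbitrary Ruby object, the CVE-2022-32224 case). The class LegacyAddress, the coder class and all YAML payloads are constructed for illustration; how Rails LTS itself lets you configure permitted classes is not shown here.

```ruby
require 'yaml'
require 'date'

# Hypothetical application class, standing in for any object that an app
# might once have stored in a serialized column through YAML.load.
class LegacyAddress
  attr_accessor :street
end

# Stand-in for a YAML column coder (not ActiveRecord's implementation).
# It deserializes with YAML.safe_load, which refuses to instantiate any
# Ruby class that is not explicitly permitted.
class SafeYAMLColumn
  def initialize(permitted_classes: [])
    @permitted_classes = permitted_classes
  end

  def dump(object)
    YAML.dump(object)
  end

  # Raises Psych::DisallowedClass for payloads that name a non-permitted
  # class (including Symbol and Date, which plain YAML.load accepted).
  def load(payload)
    YAML.safe_load(payload, permitted_classes: @permitted_classes, aliases: true)
  end
end

# Loads the way the pre-CVE-2022-32224 code did: unrestricted YAML.
# Psych >= 3.3.2 calls this YAML.unsafe_load; older Psych's YAML.load is
# already unrestricted.
def legacy_load(payload)
  YAML.respond_to?(:unsafe_load) ? YAML.unsafe_load(payload) : YAML.load(payload)
end

# Classifies a stored payload as :ok or :disallowed for a given coder.
def classify(coder, payload)
  coder.load(payload)
  :ok
rescue Psych::DisallowedClass
  :disallowed
end

# Constructed sample column contents, written the way `serialize` stores
# them with YAML.dump.
PLAIN_HASH_YAML = <<~YAML
  ---
  street: Main St 1
  zip: '12345'
YAML

DATE_VALUE_YAML = <<~YAML
  ---
  street: Main St 1
  moved_in: 2020-05-01
YAML

SYMBOL_KEY_YAML = <<~YAML
  ---
  :street: Main St 1
YAML

ARBITRARY_OBJECT_YAML = <<~YAML
  --- !ruby/object:LegacyAddress
  street: Main St 1
YAML

SAMPLES = {
  plain_hash: PLAIN_HASH_YAML,
  date_value: DATE_VALUE_YAML,
  symbol_key: SYMBOL_KEY_YAML,
  arbitrary_object: ARBITRARY_OBJECT_YAML,
}.freeze

# Default coder: nothing permitted beyond YAML's basic scalar types.
STRICT_CODER = SafeYAMLColumn.new
# Coder permitting the classes a typical app needs for its existing rows.
PERMISSIVE_CODER = SafeYAMLColumn.new(permitted_classes: [Symbol, Date])

# Returns { sample_name => :ok | :disallowed } for the given coder.
def audit(coder)
  SAMPLES.transform_values { |payload| classify(coder, payload) }
end

if __FILE__ == $PROGRAM_NAME
  audit(STRICT_CODER).each { |name, result| puts "strict     #{name}: #{result}" }
  audit(PERMISSIVE_CODER).each { |name, result| puts "permissive #{name}: #{result}" }
  puts "legacy load of arbitrary object: #{legacy_load(ARBITRARY_OBJECT_YAML).class}"
end
```

The practical check before upgrading is the `audit` step: run every distinct YAML payload found in your serialized columns through a strict coder, and add only the classes that actually show up (typically Symbol, Date, Time) to the permitted list rather than falling back to unrestricted loading.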

Installation instructions for rails-ujs or jquery-ujs

Since [CVE-2023-23913], we maintain several forks of rails-ujs and jquery-ujs.
Because each Rails app handles asset packages differently, we introduced several new forked packages that contain the fix.
To install one of them, replace your npm package or gem with the corresponding forked version.

Use the NPM package @railslts/jquery-ujs to replace the jquery-ujs NPM package, e.g. with npm install @railslts/jquery-ujs.
Use the NPM package @railslts/rails-ujs to replace the rails-ujs NPM package, e.g. with `npm...

Rack has been added to Rails LTS

Historically, the "rack" gem was not part of Rails LTS, simply because it was maintained and released separately from Ruby on Rails. However, since Rails cannot work without Rack, and since Rack did have a few minor security vulnerabilities, we have been maintaining forks of Rack on GitHub for a while.

This has changed: Rack is now a core gem of Rails LTS. This means:

  • We are committed to maintaining and patching Rack, and will make sure it works on the same Ruby versions that Rails LTS supports.
  • We will serve rack over our gem server...

Ruby 3.1 support for Rails LTS

We are pleased to announce that all versions of Rails LTS now support Ruby 3.1, in addition to all Ruby versions we previously supported.

As always, "support" means:

  • You should not run into errors that cannot be solved without changes to Rails.
  • We did our best to not require you to make too many changes.
  • There will most likely be issues within your own code and with third party gems.

We have successfully upgraded a medium-sized app to Ruby 3.1 for each version of Rails LTS without major trouble, but **be aware that this upgrade wi...